Analysis
-
max time kernel
150s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
08-02-2024 19:15
General
-
Target
69d761d941e1a7a4721e267e91167b3a.exe
-
Size
170KB
-
MD5
69d761d941e1a7a4721e267e91167b3a
-
SHA1
7e83135738bdd132a8c9da031b4794852cfc9f8b
-
SHA256
c6d317e1eb756b3577414068ac20fc445921f4edd86bef21dbab2d89920e4649
-
SHA512
4ccfe22c2a726f10e4956383fb12371cc07be797707ac6b5dba1a14a5b798c24503bd4f29302c525240dffd0a3f1d3775ff575a2fddb4443df974d1de5ce1295
-
SSDEEP
3072:lLWPQWxrjDjU6G+JLfeEXcUesyx0RcAJ+qVeYg:lLWPvjU6TFhXBes/c
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://habrafa.com/test1/get.php
-
extension
.ldhy
-
offline_id
pIGzEr0bxHiTz7xnvNidWeqzKkxMfVdHTyCkzwt1
-
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-hPAqznkJKD Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0849ASdw
Extracted
vidar
7.7
655507914130aa0fe72362726c206a7c
https://t.me/newagev
https://steamcommunity.com/profiles/76561199631487327
-
profile_id_v2
655507914130aa0fe72362726c206a7c
Signatures
-
Detect Vidar Stealer 5 IoCs
-
Detect ZGRat V1 1 IoCs
-
Detected Djvu ransomware 14 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
-
Executes dropped EXE 15 IoCs
-
Loads dropped DLL 25 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\69d761d941e1a7a4721e267e91167b3a.exe"C:\Users\Admin\AppData\Local\Temp\69d761d941e1a7a4721e267e91167b3a.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\5FFB.exeC:\Users\Admin\AppData\Local\Temp\5FFB.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\77EF.exeC:\Users\Admin\AppData\Local\Temp\77EF.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\77EF.exeC:\Users\Admin\AppData\Local\Temp\77EF.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\2b196e88-e8e4-47a0-a861-a861916d18d5" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\77EF.exe"C:\Users\Admin\AppData\Local\Temp\77EF.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\77EF.exe"C:\Users\Admin\AppData\Local\Temp\77EF.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\cd92bdc6-9975-4773-969c-862c3611cc85\build2.exe"C:\Users\Admin\AppData\Local\cd92bdc6-9975-4773-969c-862c3611cc85\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\cd92bdc6-9975-4773-969c-862c3611cc85\build2.exe"C:\Users\Admin\AppData\Local\cd92bdc6-9975-4773-969c-862c3611cc85\build2.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 13807⤵
- Loads dropped DLL
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\cd92bdc6-9975-4773-969c-862c3611cc85\build3.exe"C:\Users\Admin\AppData\Local\cd92bdc6-9975-4773-969c-862c3611cc85\build3.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\cd92bdc6-9975-4773-969c-862c3611cc85\build3.exe"C:\Users\Admin\AppData\Local\cd92bdc6-9975-4773-969c-862c3611cc85\build3.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"7⤵
- Creates scheduled task(s)
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\FE2F.exeC:\Users\Admin\AppData\Local\Temp\FE2F.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 962⤵
- Loads dropped DLL
- Program crash
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {DFC3F043-70F1-4491-AD7C-E0BC4F0CEFE6} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"4⤵
- Creates scheduled task(s)
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\1086.exeC:\Users\Admin\AppData\Local\Temp\1086.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\141F.exeC:\Users\Admin\AppData\Local\Temp\141F.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 6482⤵
- Loads dropped DLL
- Program crash
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD52b33b0833148dc664d6b13c3f7e97bc2
SHA1184dfbee227e2492d975e14298f5912a8f357fff
SHA256fede4adce8cf32bb9dc17a6f389971ebce68ef8415f949f5690b04612ee8e5a3
SHA512ec0a774a532b2a52619ef321fcc779f13d89d10a0a1bb0e73f281dada30a1e625641acd6c658f9fff9171eaffd5c9d83ce063334f564f2700b1e09820d3dabfb
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
Filesize
410B
MD5b775b1791039fb5be91036cbd633a13c
SHA1f61ee344cb5585700b92771519c55ba2440f01bd
SHA2566e8f0c9745c2cfc5dc83633d5cbd3bdbb654b29140d352fb46e50593fdda78a8
SHA512e05b2b59295eb378bea67e9435263b53961b4985ff6ab0a18ee506211c20fc15578294cfd536e0bc9a8f445624d377fb97b90f832ede55af769c5cac641f36d7
-
Filesize
344B
MD52b7d2b41bb267a8e2a504dbe338b072f
SHA1c7db300bfaac28fd25fa1898bdf73753da37d7d4
SHA256969896b92e53134f0f45c95333d78af5a48fe8cb03261dfe089a5eb4f0636860
SHA512204f123c1bb911e0aff9e383eabb53b7d3b82b13dabf55865d6683b74d5dc38e7fb01520ee03caef8dfbbb83bdf377adfabde2456f3a1ddc0c2c66abcbb92a01
-
Filesize
344B
MD5fcc7269695d063feb71302a3f3d35118
SHA17b8b90cba303e62adffa12031c9fadb0ec6c4cad
SHA2563405de54f2013dc89b5fcd1faa2d87d10c2ff4ed51662fc9d3de5338325f2df0
SHA5123eccabba1c684cc6b7ee79a46e15a04812ead5c5bbdcd1df88c1eab789956d0943b40fedf2d7f4de89ab7b1c3565de89b6752f4247121e028cec51b1303a1618
-
Filesize
344B
MD5cf8052d87b89a17e82deb3e22008e141
SHA11716f586bd1aaef5a9917d5a59fcfed617021153
SHA256ad470cdabc3717634dfe989283e41d288597e28e213b42fa896685ba4749a5f5
SHA512d61eed1b7cfab8d64b70f51913569f004a0afc88b64725cdf2f6663b384413d97fc7d38f5e0c671e69888a5b32383511bbe8913c7980fe65ea816c6e4822ad21
-
Filesize
392B
MD535644157dd12245df80c1fd86e1acfa8
SHA19a28c0cf357dd8b7f64452917ef2b7f0a47e74ef
SHA2561eb1a3e3dd6e809513b25aedcdbbf22f31cfd018e482635e44ba3a0e486fd3a9
SHA51208c07181e1b4902cab992d32261d4d17d21be306bc2c8a6e6ce0a7f929930b9204a4eea413172d299bdf6359b22efefa7398a1d647899f0b1746b434e45c51fa
-
Filesize
242B
MD5cf4873d55d3d51a4167d2f077170e7f7
SHA1f644056bf5a9766687985f7ac5eacaa784f8c86a
SHA256006c41560972fe54a8c74a42d44bfa72c4a8fb83d335450a500fb281a905bcc9
SHA512da1d34a008615f456c9da264740b91d65f335fd9b889c3da4d448fbc3d9cd6aec577d4863631a9217a59298912863bf3ea5a0f87aa7d7dec98a0fdbfa428b5f7
-
Filesize
952KB
MD5422a9c5cfa6370c93a4bd5db29c3d196
SHA1caaf89e601fde4bc9dbe3c0edda8e7efa5062e17
SHA25682311d6280999d5c9d368377e30b8f55abe2a3d7d98f8c074f6e40c5be7cd965
SHA5122caf014595f65caa26bd7c8396f981ee452ef01fdf35dde3e9e2e950855f564e97026f71c52b9a49526f9bca68d4f5c6d4bc9ba51d4b8330e38e4b4b84214e96
-
Filesize
68KB
MD5cd2b5a09efdac0ffbd76111f44733138
SHA16db6bc9dba96632213d1077155725f388237e268
SHA2561c6b4fadf6a74e1dfacd17468bdb0743ec21a1bdf3fcd4c3f58bf727efb1c74c
SHA51216fa87494baa4d65bd170d346efe082b998689d0c3488cec764170f5c0e63a7a4ad2fc51f18aa710aa8bca1ed84af99965baae692a81cead192cfa63aa37c714
-
Filesize
170KB
MD569d761d941e1a7a4721e267e91167b3a
SHA17e83135738bdd132a8c9da031b4794852cfc9f8b
SHA256c6d317e1eb756b3577414068ac20fc445921f4edd86bef21dbab2d89920e4649
SHA5124ccfe22c2a726f10e4956383fb12371cc07be797707ac6b5dba1a14a5b798c24503bd4f29302c525240dffd0a3f1d3775ff575a2fddb4443df974d1de5ce1295
-
Filesize
699KB
MD5a2b38ede1742205c46b74ce044287fb9
SHA18415a9ab51551583f3ace6916816c4474a2ffb9b
SHA256324a8068a203d94f77eb773e1491ca27fd52b5a2b5b220f50d3a9b86f9d69965
SHA5129fb2d5c030bedcb71132db3c019fdf7131826e48cb4c64d779bd2e853ab110d8fd384e3ed07946ee8bd055c880e17510488b6edc68421a99a76bfd57872694d4
-
Filesize
6.0MB
MD595e59305ad61119cf15ee95562bd05ba
SHA10f0059cda9609c46105cf022f609c407f3718e04
SHA256dd87f94c961b9612bbd65761bee6ed15318d63652f262e2c425bd177a2341a19
SHA5125fbcfe79162460080e0c3944df747835f0b8f2cdb35b038eb69eadf2eb85a209f7d5432a328d0f0eeafba036012f48793e3c08d94531b98a12a498bcf3b00ad2
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
332KB
MD5a0cc1241aa4803dc23ff778af73e3768
SHA175d07c8f1784e8e64e7520c2666bc63c2a477ffa
SHA256c0b12bbdcb41f6941d4356309fd8a43f61cbfd18eee044ff1771cbdbba248466
SHA5123ccb46eca07827f5c86b31da5f7ab1b4a4b80f0cf3c1f8245c9ea57cf7c2244bc5f867a09696ce1c80cce38c631c7f6a13dca537b8e4b297735324f52cabb755
-
Filesize
688KB
MD5be6f1b14060f4ecf205e94c2b58ae354
SHA14cb491a84f6d6fbfbc3ed181bb7c31ba95e8cab9
SHA2568c4fad55cf26736db5f8f726f9a73d47a57093fd69b61c820502e7e3c5cdb0a4
SHA512a790265663bb0092b707168e2fb1506858e42df777ff3ad6ae7b188c5f0088ece6824eb3ad5000b0925ccd388ee8cbc3ea3c4ecfdcf997c11e520dab1116b1bb
-
Filesize
485KB
MD5908a4062edff8cad5cb098b24e134e01
SHA1a5801e467b801851ab6e81cfaa6cac5d325610ff
SHA256342829a4d4234705183fada2e8d778480c4c0dcb8863393f14488adb7dd8e83c
SHA512f94f806078c8762d6505fba059c5b2119db191eea01705568a8ef4c8ef53d42038314bed5a9d5739ee3e0f7970ba9a9bf391b629e1c13e589708e7002dfdf5a6
-
Filesize
192KB
MD5a8b5133d323a5ba1dd84cb4ae9371329
SHA1057f383812004b8f012fc8b24ff58a7c472ed76d
SHA256ed9b0e59b4d9dab61b0c6dcb04eef72818e0319c5c18e483b433489049227e79
SHA512fec60f9553cbd99de7e498d38a270f40cde99c60ba9bd2ab0f019747dcdc75ee6a217ea9318992cbe7eab689017a15840700bdf16721f6dbf9bc5d100e793af9
-
Filesize
448KB
MD51b12aa67ecaf0a05b840ea7b43d5209a
SHA1d970778f4ef2abcd73736b8b504e0ceeb0aff2db
SHA256287a66cd7ed7649ab704c28c9909cac9090d859bcbdc1b1fd37164e5fd3513e4
SHA51208e6eab3b3863abf1ce161f0b7520109a0e34ec0cd6828735a9de8755e80c003e819a9b821dcc6e23b04bb237a49c018d1313b86f819626cc77bf761a0f0d414
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
1024KB
-
Filesize
196KB
-
Filesize
584KB
-
Filesize
584KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
16KB
-
Filesize
68KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
11.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
11.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
39.8MB
-
Filesize
1024KB
-
Filesize
39.8MB
-
Filesize
44KB
-
Filesize
6.9MB
-
Filesize
88KB
-
Filesize
104KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
4KB
-
Filesize
24KB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
4KB
-
Filesize
39.8MB
-
Filesize
1024KB
-
Filesize
39.8MB
-
Filesize
1024KB
-
Filesize
1.1MB
-
Filesize
584KB
-
Filesize
584KB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
960KB
-
Filesize
6.9MB
-
Filesize
968KB
-
Filesize
6.9MB